CRS-News

CRS version 4.1.0 released

Last week we released CRS v4.1.0. The new release is the first under the new monthly release schedule and brings a couple of new features and fixes.

It includes quality improvements via better rule linting and fixes for false positives across a handful of rules.

And: new developer Esad Cetiner has joined the team in time for the 4.1 release.

Read the changelog here.

Let CRS 4 be your valentine!

What a Valentine’s Day present we have got for you: today, the Core Rule Set project is releasing CRS 4!

Finally, you may say – and would be absolutely right: it took us a long time to get there. But we wanted to do it right, especially after the bug bounty program we took part in left us with over 500 individual findings in roughly 180 reports. Fixing all these needed more time than we originally thought. But the result is a CRS that has never been more secure.

Microsoft Supports CRS as Gold sponsor

The OWASP ModSecurity Core Rule Set project is very happy to announce Microsoft as a new GOLD sponsor. There has been sporadic contact with the Azure WAF engineering team for several years, and we are now taking the next step. Microsoft and OWASP CRS are establishing a formalized partnership in the form of a sponsoring agreement.

There is never a lack of ideas in a flourishing open source project like ours. But like a lot of open source projects, we lack the user perspective to a wide extent. We write rules, but we do not really know how they behave in the real world outside of the few sites we control at our day jobs.

CRS names Felipe Zipitría as third Co-Lead

The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role.

Felipe Zipitría holds a master of computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for the faculty of engineering for several years and also lectures on security at the University.

CRS Project News January 2020

It’s been a while since the last CRS project news. It’s not because there was nothing to report. It’s more like too much going on and no time to sit back and write it all down.

Here are the most important things that happened since the last edition:

ModSecurity 3.0.4 has been released for NGINX. This is a security release covering a problem our project members @airween and @theMiddle have discovered. Trustwave has asked us to withhold any details for the moment, but the release of the full CVE is planned for next week. Packaging is under way as far as we can tell. If you are running ModSec3, we strongly advise you to update ASAP, and we’ll probably follow up with a separate blog post once the details are published.
Link: https://sourceforge.net/p/mod-security/mailman/message/36899090/

CRS Project News August 2019

Life is interfering and the rhythm of the CRS news is not what I would like it to be. Three months since the last edition. But the advantage is, of course, that there is more news to talk about once I get to write it all up.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • We are planning to release CRS 3.2. Release manager Walter Hop confirmed the following plan:
    Freeze on August 19, RC1 on August 26, RC2 on September 8, release on September 24.
    Link:
    https://github.com/coreruleset/coreruleset/issues/1496#issuecomment-518348210
  • The next CRS / ModSecurity meetups in Bern, Switzerland, will be on August 28 and thereafter on October 30.
    On August 28, we’ll talk about Paranoia Levels in Practice. The program for October 30 has not been fixed yet.
    Link:
    https://www.meetup.com/CRS-ModSecurity-Meetup-Bern/
  • We are hosting a CRS Community Summit on September 25 at the RAI in Amsterdam. This is the last training day at the OWASP AppSec Global conference. The summit is meant for users of CRS, for integrators and for committers of our project. Entry to the summit is free, but it makes sense to combine it with the AppSec conference the next day, of course, if you make the trip to the Netherlands.
    The Summit will start in the early afternoon and we are going to have a dinner together afterwards.
    Please get in touch if you plan to attend, so we can accommodate enough seats at the RAI (and at the restaurant afterwards):
    Link:
    christian.folini / at / owasp.org
  • Christian Folini is going to present at the OWASP AppSec Global conference in Amsterdam on September 26 / 27. His talk will be about Practical CRS in high security settings.
    Link:
    https://ams.globalappsec.org/

Important pull requests in the queue

  • There is a PR for a new rule aiming at insecure unserialization in NodeJS. This is meant to be the first rule in a new rule group (REQUEST-934-APPLICATION-ATTACK-NODEJS.conf) that is going to be released together with CRS 3.2 if everything goes according to plan.
    Link:
    https://github.com/coreruleset/coreruleset/pull/1487
  • Not much more of much importance is in the queue. We have been very active with merging those last few weeks. There are just a few bugfixes here and there plus more tests.

News assembled by Christian Folini, CRS Co-Lead.

CRS Project News May 2019

We are back with the CRS project news. There was not too much to talk about in recent weeks, but now there is real content. So here we go.

What has happened in recent weeks

  • Security researcher Somdev Sangwan has looked into Regular Expression Denial of Service attacks. It is a more or less well known fact that CRS suffers from this problem. Usually, it is no big deal, as ModSecurity 2 used to protect from this type of attack. However, this protection is gone with ModSecurity 3. Somdev Sangwan had 5 (!) CVEs against CRS created. Yet we came to the conclusion that only one of them (👉 CVE-2019-11387) is directly exploitable, and only on ModSecurity 3 at paranoia level 2 or higher. The problem is situated in two separate rules. We are now working on a solution for this issue.
    Links:
    https://nvd.nist.gov/vuln/detail/CVE-2019-11387
    https://github.com/coreruleset/coreruleset/issues/1359
    https://portswigger.net/daily-swig/unpatched-modsecurity-crs-vulnerabilities-leave-web-servers-open-to-denial-of-service-attacks
  • CRS contributor Airween has made a big effort to make sure that ModSecurity 3 passes the CRS test suite. He fixed several ModSec bugs along the way (not all of them merged yet) and he has been 100% successful with ModSec3 in combination with the Apache connector. With the nginx connector, he is really close.
    Please note that this means that none of the released ModSec 3 versions are able to pass the CRS 3 test suite so far.
  • There was very little interest among the CRS developers to go to Tel Aviv in order to hold our CRS community summit during the OWASP AppSec Global conference there later in May. We have thus decided to shift our reunion to September and the OWASP AppSec conference in Amsterdam.
  • James Walker from Portswigger / Daily Swig covered the ongoing development with ModSecurity in an online article.
    Link: https://portswigger.net/daily-swig/waf-reloaded-modsecurity-3-1-showcased-at-black-hat-asia
  • We are very happy to welcome Andrea Menin / theMiddleBlue / MeninTheMiddle as a CRS developer with commit rights. The latter took a fair bit of time, but the joy is even bigger now.
  • There is a fairly new ModSecurity integration into the Envoy Proxy on Kubernetes. We have not tested it yet, though.
    Link: https://github.com/octarinesec/ModSecurity-envoy

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • Tin Zaw from Verizon is presenting CRS at the OWASP project showcase at the AppSec conference in Tel Aviv.
  • 3.1.1 is meant to be released with a backported fix for CVE-2019-11387 as soon as we have the fix.

Important pull requests in the queue

CRS Project News January 2019

We are back with the CRS project news. We’re attending the Cloudfest Hackathon in March in Germany and we have plans for another CRS Community Summit at the new OWASP AppSec Global conference in Tel Aviv at the end of May (formerly OWASP AppSecEU).

What has happened in recent weeks

  • We have reached 1500 stars on GitHub and are adding more every day in a nice exponential curve. This makes us one of the most popular OWASP projects on GitHub.
    Link: https://seladb.github.io/StarTrack-js/?u=SpiderLabs&r=owasp-modsecurity-crs
  • CRS contributor Ervin Hegedüs, supported by Andrea Menin and Walter Hop, is working hard to get the CRS FTW tests to pass with ModSecurity 3 on NGINX and ModSecurity 3 on Apache. These tests are important for including Nginx with ModSecurity 3 in the next Debian release. CRS is currently using ModSecurity 2.9 on Apache as reference platform, but we need to open up for ModSecurity 3 as it is slowly maturing. Ervin and Andrea have now reached a state where over 90% of the tests pass, but they may have also discovered a bug or two in ModSecurity 3. When the work on Debian is done, we will set up our Continuous Integration via Travis to run our tests against multiple platforms.
  • Angelo Conforti published an interesting piece of code that generates ModSecurity whitelisting rules from a Swagger definition. This could be very interesting for securing APIs on top of CRS. This is a work in progress, but it looks promising and I am sure testing is welcome.
    Link: https://github.com/angeloxx/swagger2modsec

Significant pull requests that were merged

When we stated development had picked up nicely after the release 3.1 the statement contained a lot of hope. But looking over the last four weeks makes it clear that we have indeed accelerated.

CRS Project News December 2018

I hope everybody has a few calm days to finish the year. CRS is finishing the year enjoying the 3.1 release and an adjustment to the PHP rules that closes a nasty hole in the detection.

What has happened in recent weeks

  • CRS 3.1 has been released bringing new rules to detect Java injections and an easier way to deal with paranoia levels. More changes in the announcement.
    Link: /20181128/announcement-owasp-modsecurity-core-rule-set-version-3-1-0/
  • CRS Co-Lead Christian Folini taught two CRS crash courses together with David Jardin from Siwecos in Bern and Zurich, Switzerland. The course was sponsored by Switch (The Swiss NIC) and addressed internet hosters. One result was a new initiative to run a workshop at the Cloudfest conference in late March to come up with a CRS profile that works for internet hosters. There will be a separate announcement, when we know more.
  • CRS committer Franziska Bühler published a blog post introducing the extensions for the official CRS docker container that she developed. The extensions allow you to configure a CRS container including the backend connection from the command line.
    Link: /20181212/core-rule-set-docker-image/
  • CRS Co-Lead Christian published an asciinema demo video illustrating Franziska’s work.
    Link: https://asciinema.org/a/0JDnaO1Wi42sIYpgJzoYbCdtn
  • The American company Gridvision published a success story about how they secured their WordPress setup with CRS.
    Link(Outdated): “gridvision.net/projects/nginx-modsecurity-and-project-honeypot”
  • CRS contributor TheMiddle published a blog post with WAF bypasses aiming for PHP. As usual, CRS was doing better than many other WAFs, but there is a particularly sinister bypass we did not detect in lower paranoia levels (more news about this below).
    Link: https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/

Significant pull requests that were merged

With the 3.1 release out the door, the development for 3.2 was immediately revived. Pull requests are coming in nicely now.

CRS Project News November 2018

The plan is to do this newsletter every month, but it’s already November. The reason is the pending 3.1 release, so I waited for the release to happen and then it did not and suddenly October was over. But now we have a 3.1-RC2 and a strong belief that 3.1 will come out for good on Sunday November 24.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks

  • We plan to release CRS 3.1 on Sunday November 24.
  • There are going to be two separate one-day ModSecurity / CRS courses for ISPs / Hosters focusing on CMS. Christian Folini and David Jardin from SIWECOS will teach both courses on invitation by SWITCH. The first course will be on December 5 in Bern, Switzerland and the second course will be on December 6 in Zurich, Switzerland. Link: https://swit.ch/CMS_Bern Link: https://swit.ch/CMS_Zurich
  • CRS developer Franziska Bühler is working on her docker container. She is adding CLI support for all the CRS variables during “docker create”. This means you will be able to create and configure a CRS WAF container on the fly with a one-liner. This is meant to be merged into the official CRS docker container eventually. Link: https://hub.docker.com/r/franbuehler/modsecurity-crs-rp/
  • The next Monthly Community Chat will be held on December 3, 2018, at 20:30 CET in the #coreruleset channel in the OWASP Slack. A link to a slack invite can be found in the agenda linked below. Please use this agenda issue on github to schedule topics for discussion. Link: https://owasp.slack.com
    Link: https://github.com/coreruleset/coreruleset/issues/1238
  • CRS developer Felipe Zipitria has volunteered to come up with a proposal to have CRS swag produced via an online print-on-demand shop. Desired items include posters, stickers, buttons, T-Shirts, ideally the full program. Link: https://github.com/OWASP/owasp-swag

Important pull requests in the queue

CRS Project News September 2018

We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project.

The most important news is the publication of the release candidate 1 for CRS 3.1.

What has happened in recent weeks

Significant pull requests that were merged

  • Development has been shifted to the new 3.2 branch, which has been declared master
  • Walter Hop contributed 2 new strings to the list of Java Struts namespaces for use in the new 944130 rule
    Link: https://github.com/coreruleset/coreruleset/pull/1177
  • Other than that, everybody is waiting for new issues popping up with the 3.1-RC release but it has been quiet on that front so far.

Things that are meant to happen in the coming weeks

  • We plan to release CRS 3.1 in October unless we see any road blockers.
  • There is a strange bug that a PL2 rule among the new Java rules in CRS 3.1-RC1 triggers. If it is a bug, it’s rather a ModSecurity bug, but it’s completely unclear how this is happening, as reproduction has been very cumbersome so far. What is clear is that it happens in connection with chunked transfer encoding of JSON payloads at PL2 and higher. So it is a rather peculiar situation that is relatively rare.
    Link: https://github.com/coreruleset/coreruleset/issues/1185

Important pull requests in the queue

CRS Project News July 2018

We are launching the monthly news anew. The idea is to look beyond the pure CRS development again and to bring you additional information that touches on our project. As the editor, I (-> Christian Folini) am planning to release this in the first half of the month. This did not work in July, though, but I have a very cute excuse: She’s called Giovanna and she is only a couple of days old. We’re going to be a bit earlier in August, but also less news apparently.

CRS Project News September 2017

This is the CRS newsletter covering the period from mid August until today.

What has happened during the last few weeks:

  • We held our community chat last Monday. Chaim was high in the air, so there were only six of us, but Manuel was back, so I get the feeling we are slowly growing the project. The big project administration and governance discussions seem to be over for the moment. So we spent a lot of time talking about development, possible roadblocks and code policies.
    The next community chats will be held on the following dates: